Security problems with a SC-CNN-based Chaotic 
Masking Secure Communication System * 



A. B. Orue, G. Alvarez, F. Montoya 
Institute de Fi'sica Aplicada, C.S.I.C. 
c/. Serrano 144, 28006 Madrid, Spain 
abolOimaf f . cf mac . csic . es 

C. Sanchez-Avila 
Dep. Matematica Aplicada a las Tecnologfas de la Informacion, 
E. T.S.I. Telecomunicacion 
Universidad Politecnica de Madrid, Madrid 28040, Spain 



Abstract 

This paper studies the security of a chaotic cryptosystem based 
on the Chua circuit and implemented with State Controlled Cellular 
Neural Networks. It is shown that the plaintext can be retrieved by 
ciphertext band-pass filtering after an imperfect decoding with wrong 
receiver parameters. It is also shown that the key space of the sys- 
tem can be notably reduced easing a brute force attack. The system 
parameters were determined with high precision through the analysis 
of the decoding error produced by the mismatch between receiver and 
transmitter parameters. 

Keywords - Chua atractor, cryptanalysis, chaotic masking. 

1 Introduction 

The possibility of synchronization of two coupled chaotic systems was first 
shown by Pecora and Carrol [H [2] , due to the nonpredictable behavior of 
chaotic variables, it was soon envisaged the possibility of using them in 
the field of secure communications in the same way as the withe noise and 
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random sequences were used in classical cryptography, accordingly, a great 
number of cryptosystems based on chaos have been proposed [31 [H O [U 
El El [9]; some of them fundamentally flawed by a lack of robustness and 
security [71lini[II]. 

The Chua circuit [12^ [T3] is a simple chaotic circuit considered the 
paradigm of chaos. It is defined in its dimensionless form by the follow- 
ing state equations: 

X = a[y — h{x)] , 

y = x-y + z, (1) 

z = -Py, 

with h{x) = mix + 0.5(mi — mo)(|x + 1| — |x — 1|), where x, y and z are the 
system variables; x, y and i, are the derivative the variables with respect to 
the time r; a, /3, ttiq and mi are the system parameters. 

In [H] a Generalized Cellular Neural Network (CNN) CeU Model, was 
introduced, it was shown that it was possible to implement the Chua circuit 
using a State Controlled Cellular Neural Network (SC-CNN) formed by the 
suitable interconnection of tree generalized CNN cells, it is defined by the 
following state equations: 

xi = -xi + siixi + S12X2 + aiyi, 

^2 = -2:2 + S21X1 + S232;3, (2) 

X3 = -X3 + S32X2 + S33X3, 

where yi = 0.5(|xi + 1| — |xi — 1|). 

It can be seen that Eqs. ([T|) are a particular case of Eqs. ([2]) if: 

ai = a{mi - mo); sn = 1 - arm; su = a; S21 = S23 = S33 = 1; S32 = /?. 

Recently it was proposed a new chaotic cryptosystem implemented with 
State Controlled Cellular Neural Network (SC-CNN) [El [IS], it was based 
on chaotic masking system with feedback algorithm [T7]. The results of a 
PSpice simulation were presented in [15] and its hardware implementation 
was described in [16]. The cryptosystem transmitter was defined as: 

xi = -xi + siixi + 512X2 + aiyi, 

X2 = -X2 + m{t) + S23X3, (3) 

^3 = -X3 + S32X2 + S33X3, 
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Figure 1: (a) Variable xi{t) of the transmitter; (b) plaintext s{t); (c) ci- 
phertext m{t) = xi{t) + s{t); (d) retrieved plaintext at the receiver end 
s'{t). 



where m{t) = xi{t) + s{t) is the ciphertext, s{t) is the plaintext and t is the 
variable time. It can be observed the ciphertext m{t) feedback in the in the 
second equation of the system. 



The cryptosystem receiver was defined as: 

x[ = -x[ + sux[ + S12X2 + aiy'i, 
-X2 + m{t) + S23x':i, 
-x's + 832X2 + sssx'^, 

where y'l = 0.5{\x'i + 1| — \x[ — 1|). 



X2 

■ I 

X3 



(4) 



The recovered plaintext s'(t) at the receiver end was calculated as: 
s'{t) = m{t) - x[{t). 



In |15^ [T6] it was given an example with the following values: a = 9, 
P = 14+ |, mo = — J, nil = J, s{t) = sin(27rl000t), as the circuit was 
implemented with real resistances and capacitors of a particular value, it 
turns out that the time response of the circuit remain multiplied by a time 
factor of value t/r = 10^/51, with respect to the dimensionless case. 



The signal waveforms of the variable xi, plaintext, ciphertext and re- 
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Figure 2: Power spectrum of the xi{t) transmitter variable. 
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Figure 3: Chua atractor trajectory projected onto the {x2,xi) plane. 

trieved text are illustrated in Fig. [TJ In the Fig. [2] the frequency power 
spectrum of the xi{t) transmitter variable is depicted, it can be seen that 
most of the energy is located at the band below 2 kHz, this energy corre- 
sponds high amplitude slow oscillations of xi{t), there are also some power 
components of high frequency, that corresponds to the small amplitude rip- 
ple of Xl{t). 

The Fig. [3] shows the double scroll Chua attractor formed by the pro- 
jection on the (x2,xi) plane, in the phase space, of a trajectory portion 
extending along 0.2 s, for the parameter values of the example in [15\ I16j . 
The Chua attractor trajectory draws two 3D loops, in the vicinity of the 
equilibrium points and P~ , with a spiral like shape of steadily growing 
amplitude, jumping from one of them to the other, at irregular intervals, 
in a random like manner. The trajectory may pass arbitrarily near to the 
equilibrium points, but never reach them while in chaotic regime. The two 
asterisks show the location of the attractor equilibrium points, of coordi- 
nates Xip± = ±(1 — ^), X2P± = 0, x^p± = =f(1 — Tn^)i jumps between 
loops corresponds to the low frequency components of the spectrum, while 
the turns around the equilibrium points corresponds to the high frequency 
components. 

In the present paper it is discussed the weaknesses of this secure com- 
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munication system, in the section [2] the weakness of the cryptosystem are 
analyzed and in sections [3] and H] it is shown how to break it by filtering and 
by parameter identification. 

2 Problems with the cryptosystem definition 

Although the authors of [151 US] seemed to base the security of its cryptosys- 
tem on the chaotic behavior of the output of the Chua circuit, no analysis 
of security was included and no indications about key selection, allowable 
plaintext frequency or amplitude and system initial conditions. 

2.1 Missing key specification 

The first issue to be considered in a cryptosystem is the secret key, a cryp- 
tosystem cannot exist without a key. When cryptanalyzing a cryptosystem, 
the general assumption made is that the cryptanalyst knows exactly the 
design and working of the cryptosystem under study, i.e., he knows every 
detail about the ciphering algorithm, except the secret key. This is an evi- 
dent requirement in today secure communications systems, usually referred 
to as principle of Kerchoff [18]. In [15\ [T6] it was not considered whether 
there should be a key in the proposed system, what it should consist of, 
what the available key space would be (how many different keys exist in 
the system), what precision to use, and how it would be managed. None of 
these elements should be neglected when describing a secure communication 
system [HISO]. 

2.2 Reduced hypothetical key space 

A typical assumption of most chaotic cryptosystems designers is that the 
system parameters play the role of key |llj . such premise will be assumed 
in the rest of the article. 

The simplest strategy for breaking a cryptosystem is known as brute 
force attack and consist of trying every possible key on the key space. The 
attack will be affordable in the case of small key space, hence the number 
of possible keys must be as huge as possible. Nowadays the veteran Data 
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Encryption Standard is considered obsolete and abandoned because it has 
only 7.2 x 10^^ different keys! 

The problem of using the Chua circuit as a cryptosystem is that the 
number of possible different combinations of useful parameter values is very 
short. In |21l [22] it is shown that the Chua circuit exhibit almost every 
known bifurcation and chaotic phenomenon described in the literature. Its 
manifold is quite complex, hence it is known as the chaos paradigm. Differ- 
ent combinations of parameters a and (3 lead to many different trajectories 
projected onto the (x2,xi) plane, among them: double-scroll strange attrac- 
tor, sinks, asymmetric periodic orbits, period n orbits, Rossler like spiral, 
heteroclinic orbits, homoclinic orbits and repulsive foci. The only attractor 
behavior suitable for masking the plaintext is the double-scroll attractor, 
other behaviors give place to a very simple waveforms that can not hide the 
plaintext in an efficient manner; but, unfortunately, the region of the (a, (3) 
plane giving rise to it is a small fraction of about 4% of all possible combi- 
nations of parameter values, as shown in I22j. Hence a hypothetical key 
space based on the system parameters would be quite small. 

This situation is worsened by the fact that some Chua circuit parameters 
have a direct relation with the coordinates xi of the attractor equilibrium 
points and P~, that can be approximately delimited watching at the 
ciphertext waveform, what reduces further the key space, as described in 
the section HI 

2.3 Dangerous initial conditions 

For the parameter values of the example given in |15[ [T6] , there are many 
unstable periodic orbits embedded in the double scroll attractor. If for any 
reason during the operation of the system some special points are reached, or 
the initial conditions include them, the system becomes unstable with ever 
growing amplitude of the variables, such points must be considered forbidden 
during normal operation, one of this isolated points is {a;i(0), 3:2(0), 2:3(0)} = 
{1.83487, 0, 2.53784}. A complete forbidden region of the attractor orbit 
and/or initial conditions correspond to the values X2 > 1.08, for any value 
of xi and X3. 
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2.4 Unacceptable plaintexts 

As the plaintext is feeded with high amphtude into the transmitter Eqs. ([3]), 
the normal behavior of the Chua circuit is disturbed. It was found that for 
plaintext frequencies ranging from 4700 Hz to 4970 Hz the attractor orbit 
remained synchronized with the plaintext after some miliseconds following 
the initiation. This is a very dangerous situation because the ciphertext 
reveals the plaintext. 

If the plaintext frequency is comprised between 4970 Hz and 12500 Hz 
a unstable periodic orbit of about 9500 Hz takes place, hence the system is 
not operable for plaintexts with frequencies inside this margin. It must be 
concluded that the acceptable plaintext frequency margin must be limited 
between Hz and less than 4700 Hz, i.e. it seems that it is designed as to 
encipher speech signals. 

3 Breaking the system by bandpass filtering 

The main problem with the cryptosystem proposed in \15\ [T6] is that the 
synchronism mechanism between transmitter and receiver is excessively ro- 
bust, as a result of a design oriented to avoid the problems presented by 
the customary chaotic masking systems. The consequence is that an al- 
most correct synchronism can be reached for an infinite number of receiver 
parameter combinations, for each given transmitter parameter set. 

The Fig. H] illustrates this problem. The system signals are depicted 
for the transmitter parameter values of the the example in [15\ [T6] a = 9, 
P = 14.2857, mi = 0.2857, tjiq = —0.1428; and an arbitrary chosen set of 
receiver parameters values, far away from those of the transmitter: a' = 17, 
P' = 23.3, m[ = 0.1366, m'^ = -m[/2. 

It can be appreciated that the waveform of the receiver chaotic variable 
x'^{t) resembles pretty much the corresponding one xi{t) of the transmit- 
ter. Hence the retrieved plaintext s'{t) differs from the original plaintext 
s{t) mainly in the high frequency components, i.e. the jumps between the 
equilibrium points are alike, but the rate and amplitude of turns around 
them are different, which causes a high frequency noise on the retrieved 
plaintext. This noise can be easily removed by filtering. The Fig. [4] (f) 
shows the recovered plaintext after filtering it with a finite impulse response 
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Figure 4: Plaintext retrieving with wrong parameter guessing; (a) transmit- 
ter chaotic variable xi{t); (b) ciphertext m(t) = xi{t) + s{t); (c) receiver 
chaotic variable x[{t); (d) plaintext s{t); (e) retrieved plaintext s'{t); (f) 
bandpass filtered retrieved plaintext s'{t). 



digital bandpass filter, with 200 taps and a frequency response of 300 Hz to 
3.400 Hz, which is the typical bandwidth of telephone loops. 



4 Breaking the system by parameter determina- 
tion 



A possible way to break the system is the brute force attack, which consists 
of trying all the possible values of its parameters, until a meaningful and 
noise-free plaintext is obtained. The number of different combinations could 
be significantly high, therefore the time needed to try all of them could be 
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Figure 5: Region of the (a, 13) plane giving rise to the double-scroh attractor. 

enormous, making the envisaged task unattainable. Fortunately the param- 
eters search range may be dramatically reduced in various ways, first by 
previous study of the cryptosystem characteristics and, second, analyzing 
the ciphertext waveform. 

4.1 Key space reduction 

In section 12.21 it was mentioned that the region of the (a, (3) plane giving 
rise to the double-scroll attractor in a Chua circuit is a small fraction of all 
possible combinations of parameter values a and (5. As the system [151 [TB] 
differs from the ordinary Chua circuit in that it makes use of feedback, it may 
have a different behavior than this one; hence the region of the (a, (3) plane 
giving rise to the double-scroll attractor was experimentally investigated 
for different combinations of mo and mi values, the results are depicted in 
the Fig. m the points inside this region may cause or not a double scroll 
attractor, depending on the values of mo and ?tii, but the points outside 
this region never cause a double scroll attractor for any combination of mo 
and nil values, therefore they are not suitable for hiding information and 
need not be investigated when mounting a brute force attack; the region 
that must be investigated is approximately delimited by the curves 13 = 
0,0062a2 + 0.92 a + .5 and (3 = 0,157a2 _ o.l6a + 12. Hence the usable 
key space is notably reduced. 

Correspondingly, the region of the (mo,mi) plane giving rise to the 
double-scroll attractor may also be delimited from the Chua circuit defi- 
nition and from the ciphertext as follows. 

According to the definition the Chua system the parameters rriQ and 
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Figure 6: Equilibrium points estimation; (a) transmitter chaotic variable 
xi(t) with Xip+ and Xip~; (b) plaintext s{t); (c) ciphertext m{t) = xi(t) + 
s{t); (d) absolute value of ciphertext 



mi are defined as mo = [Ga/G) + 1 and mi = (Gb/G) + 1, were G is a 
positive conductance while Ga and Gb are the two negative conductances 
of the equivalent circuit of the Chua's nonlinear resistor, they satisfy the 
relation Ga < Gb < 0, hence it follows that 1 > mi > mo- If the coordinates 
of the attractor equilibrium points Xip± = ±(1 — ^) could be determined 
a tighter relationship between mo and mi could be established. 

If the undisturbed transmitter chaotic variable would be accessible, the 
coordinate Xip± = ±(1 — ^) of the equilibrium points could be deter- 
mined from the variable waveform. Figure E](a) shows the waveform of xi{t) 
and the true values of Xip+ and Xip-, corresponding to the example given 
in [lb\ [TU] ; as can be seen it is not a difficult task to approximate the value 
of Xip+ or Xip- as the equidistant line between the relative maxima and 
minima of the positive part or the negative part, respectively, of the xi{t) 
waveform. 

But as the only accessible data to an opponent cryptanalyst is the ci- 
phertext m{t) = xi{t)+ s{t), depicted in Fig.[6](c), the transmitter variable 
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Figure 7: Power spectrum of the receiver decoding error e, with transmitter 
parameters: a = 9, P = 14.2857, tuq = —0.1428, mi = 0.2857; and receiver 
parameters: a' = 4.5, = 9, m-Q = —0.12, m'^ = 0.21. 

xi{t) remains obscured by the presence of the plaintext, so only a coarse es- 
timation of Xip± can be attained, never the less the value may be delimited 
effectively, establishing two easily measurable bounds. As Xip+ = —Xip-, 
it is preferable to work with the absolute value of m(t), represented in 
Fig. [6](d). The value of |xip±| can be delimited between the bounds ximax 
and ximean, being the first one the maximum value of |m(f)| and the second 
one the mean of It is evident from Fig. [6](d) that |xip±| < ximaxit) 

and it was found experimentally, for a large assortment of parameter val- 
ues and plaintexts, that in any case |a;ip±| > \ximeanit)\. In the example 
of [ISI [16] the true value of ^ is ^ = -0.5, hence |xip± I = 1 - ^ = 1.5, 
which is in good agreement with the bounds that were experimentally found 
xiM = 3.00 and xim = 1-41. This fact allows for an important reduc- 
tion of the search range of all the possible values of mo and mi. As 
xiM = 3.00 > ±(1 - ^) > xim = 1.41 and 1 > mi > mo, it follows 
that 1 > mi > and — 0, 41mi > mo > — 2mi. Again the key space is 
additionally reduced. 

4.2 Parameter determination 

As illustrated in Fig. [2l the transmitter variable xi[t), which acts as a noise 
to mask the plaintext, has two well differentiated frequency bands. The first 
one is the low frequency band, with spectral components comprised between 
Hz and 3 kHz, corresponding to the jumps of the atractor between the two 
loops centered at the equilibrium points and P~ , this part effectively 
conceals the plaintext, that has the same frequency band. The second one is 
the high frequency band, located beyond 6 kHz, corresponding to the loops 
of the attractor trajectory around the equilibrium points. 
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Figure 8: Power of the high frequency components of the decoding error 
e, for different sets of receiver parameters vahies: a' = {4,... ,20}; m'l = 
{0.01, . . . , 0.9}; ?n'o = {0.01, . . . , 1.8} 



When the the ciphertext is decoded with an unauthorized receiver, with 
wrong parameter guessing, the retrieved plaintext s'{t) = m{t) — x'^{t) = 
s{t) + — x'i{t) is composed by the plaintext and the decoding error 
e = xi{t) — x'i{t), that can be considered as an unwanted masking noise. 
If the receiver and sender parameters were equal the decoding error will 
disappear, consequently a strategy to retrieve the plaintext may consist 
of determining the receiver parameters that minimize the decoding error. 
Unfortunately the noise and the plaintext share the low frequency band of 
the spectrum, hence it is impossible their complete separation; but still it is 
possible to separate the high frequency band of the decoding error. 

The Fig. [7] illustrates the power spectrum of this error, the low fre- 
quency components are mixed with the plaintext; but the high frequency 
components are far from the plaintext frequencies, therefore the decoding 
error created by the high frequencies of e can be easily extracted from the 
ciphertext by means of high-pass filter with cut-off frequency of 6.5 kHz. 

The Fig. [9] illustrates the logarithm of the power of the high frequency 
components of the decoding error e, for different sets of receiver parame- 
ters a' , m'^ and ttIq in function of the f3' parameter. It can be seen that 
the minimum decoding error is reached when the transmitter and receiver 
parameters agree. All the curves show the same tendency: the decoding 
error grows with the mismatch between the transmitter and receiver param- 
eters, their relative minima is reached for values near to the values of the 
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Figure 9: Story of the parameters value approximation. 



corresponding parameters in the transmitter. 

To determine the parameter values an iterative optimization procedure 
was developed; it consisted of a number of approximation rounds, in each 
round the four parameters were varied one each time, looking for the mini- 
mum decoding error; the first round started from a set of arbitrary param- 
eters cJ = 5, /?' = 7, m!^ = 0.1, m'o = 0.2, it were tried 31 values of each 
parameter inside the limited range defined in the section 14.11 and the value 
giving rise to the lowest decoding error was retained; in each next round the 
margin of variation of each parameter was progressively reduced; the proce- 
dure finished when a stable repeat value of the parameters was reached, the 
number of required rounds were 30 and the elapsed computing time was 965 
seconds, in a 4 GHz Pentium Dual. The Fig. [9] illustrates the story of the 
procedure, sowing the variation of each parameter in function of the round 
number. The parameters values were determined with a precision of five to 
six significative digits, allowing for the exact retrieving of the plaintext. 
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4.3 Conclusion 



The secure communication system described in |15| [16] was studied. It 
was found that the synchronism mechanism is excessively robust, the conse- 
quence is that an almost correct synchronism can be reached for an infinite 
number of receiver parameter combinations, therefore the plaintext can be 
retrieved by simple band-pass filtering after decoding the ciphertext with a 
receiver with wrong parameters. 

It was also found that the key space of the system can be notably reduced 
by means of the study of the geometric properties and the the chaotic regions 
of the Chua atractor, making feasible a brute force attack. Finally the 
parameters of the system were determined with high precision analyzing and 
minimizing the decoding error created by the mismatch between receiver and 
transmitter parameters. 
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